Question 83. What are the CFB
and OFB modes?

The Cipher Feedback (CFB) mode and the Output Feedback (OFB) mode
are two more standard modes of operation
(see Question 82) for
a block cipher.

In CFB mode (see Figure 5), the previous ciphertext block
is encrypted and the output produced is combined with the plaintext
block using exclusive-or to produce the current ciphertext block.
It is possible to define CFB mode so that it uses feedback that
is less than one full data block. An initialization vector
(see
Question 82) or value c0 is used as a "seed"
for the process.

Figure 5. Cipher Feedback Mode

CFB mode is as secure as the underlying cipher and plaintext patterns
are concealed in the ciphertext by the use of the exclusive-or
operation. Plaintext cannot be manipulated directly except by
the removal of blocks from the beginning or the end of the ciphertext.
With CFB mode and full feedback, when two ciphertext blocks are
identical, the outputs from the DES operation at the next step
are also identical. This allows information about plaintext blocks
to leak. When using full feedback, the speed of encryption is
identical to that of the block cipher, but the encryption process
cannot be easily parallelized.

OFB mode (see Figure 6) is similar to the CFB mode except
that the quantity exclusive-ored with each plaintext block is
generated independently of both the plaintext and ciphertext.
An initialization vector s0 is used as a "seed"
for a sequence of data blocks si,, and each data block
si is derived from the encryption of the previous data
block si-1. The encryption of a plaintext block is derived
by taking the exclusive-or of the plaintext block with the relevant
data block.

Figure 6. Output Feedback Mode

Feedback widths less than a full block are not recommended for
security
[DP83][Jue83]. OFB mode has an advantage over CFB mode
in that any bit errors that might occur during transmission are
not propagated to affect the decryption of subsequent blocks.
However, by changing the ciphertext the plaintext can easily be
manipulated. The speed of encryption is identical to that of the
block cipher. Even though the process cannot easily parallelized,
time can be saved by generating the key stream before the data
is available for encryption.